Systems Plus College Foundation College of Computing and Information Sciences

Information Assurance Security System

Chapter 1
Introduction to Information

Security

Chapter Overview
This opening chapter establishes the foundation for understanding
the broader field of information security. This is accomplished by
defining key terms, explaining essential concepts, and reviewing the
origins of the field and its impact on the understanding of information
security.
Chapter

Objectives

When you complete this chapter, you will be able to:

Define information security
Relate the history of computer security and how it evolved into
information
security
Define key terms and critical concepts of information security as
presented in
this chapter
Discuss the phases of the security systems development life
cycle
Present the roles of professionals involved in information
security within an
organization
Introduction
Information security in todays enterprise is a well-informed sense of
assurance that
the information risks and controls are in balance. Jim Anderson,
Inovant (2002)
Before we can begin analyzing the details of information security,
it is necessary to review the origins of this field and its impact on
our understanding of information security today.
The History of Information

Security

The need for computer security, or the need to secure the physical
location of hardware from outside threats, began almost immediately
after the first mainframes were developed.
Groups developing code-breaking computations during World War II
created the first
modern computers.

Systems Plus College Foundation College of Computing and Information Sciences

Information Assurance Security System

Badges, keys, and facial recognition of authorized personnel controlled

access to
sensitive military locations.
In contrast, information security during these early years was
rudimentary and mainly
composed of simple document classification schemes.
There were no application classification projects for computers or
operating systems at this time, because the primary threats to
security were physical theft of equipment, espionage against the
products of the systems, and sabotage.
The 1960s
During the 1960s, the Department of Defenses Advanced
Research Procurement Agency (ARPA) began examining the
feasibility of a redundant networked communications system
designed to support the militarys need to exchange information.
Larry Roberts, known as the founder of the Internet, developed the
project from its
inception.
The 1970s and 80s
During the next decade, the ARPANET grew in popularity and use, and
so did its
potential for misuse.
In December of 1973, Robert M. Metcalfe indicated that there were
fundamental
problems with ARPANET security.
Individual remote users sites did not have sufficient controls and
safeguards to protect
data against unauthorized remote users.
There were no safety procedures for dial-up connections to the
ARPANET.
User identification and authorization to the system were nonexistent.
Phone numbers were widely distributed and openly publicized on the
walls of restrooms
and phone booths, giving hackers easy access to ARPANET.
The movement toward security that went beyond protecting physical
locations began
with the Rand Report R-609, sponsored by the Department of Defense,
which
attempted to define multiple controls and mechanisms necessary for
the protection of a

multilevel computer system.

The scope of computer security grew from physical security to include:
Safety of the data itself
Limiting of random and unauthorized access to that data

Involvement of personnel from multiple levels of the organization

At this stage, the concept of computer security evolved into the more
sophisticated
system we call information security.
MULTICS
Much of the focus for research on computer security centered on
a system called MULTICS (Multiplexed Information and Computing
Service).
In mid-1969, not long after the restructuring of the MULTICS project,
several of the key
players created a new operating system called UNIX.
While the MULTICS system had planned security with multiple security
levels and
passwords, the UNIX system did not.
In the late 1970s, the microprocessor brought in a new age of
computing capabilities
and security threats as these microprocessors were networked.
The 1990s
At the close of the 20th century, as networks of computers became
more common, so too did the need to connect the networks to each
other. This gave rise to the Internet, the first manifestation of a global
network of networks.
There has been a price for the phenomenal growth of the Internet,
however. When
security was considered at all, early Internet deployment treated it as a
low priority.
As the requirement for networked computers became the dominant
style of computing, the ability to physically secure the physical
computer was lost, and the stored information became more exposed
to security threats.
The Present
Today, the Internet has brought millions of unsecured computer
networks into

communication with each other.

Our ability to secure each computers stored information is now
influenced by the
security on each computer to which it is connected.

What is Security?
In general, security is the quality or state of being secureto be free
from danger. It means to be protected from adversaries, from those
who would do harm, intentionally or otherwise.
A successful organization should have the following multiple layers of
security in place
for the protection of its operations:
Physical security to protect the physical items, objects, or areas of
an organization
from unauthorized access and misuse
Personal security to protect the individual or group of individuals
who are
authorized to access the organization and its operations
Operations security to protect the details of a particular
operation or series of
activities
Communications security to protect an organizations
communications media,
technology, and content
Network security to protect networking components,
connections, and contents
Information security to protect information assets
Information security, therefore, is the protection of information and its
critical elements, including the systems and hardware that use, store,
and transmit that information. But to protect the information and its
related systems from danger, tools, such as policy, awareness,
training, education, and technology, are necessary.
The C.I.A. triangle has been considered the industry standard for
computer security since the development of the mainframe. It was
solely based on three characteristics that described the utility of
information: confidentiality, integrity, and availability. The C.I.A.
triangle has expanded into a list of critical characteristics of
information.

Critical Characteristics of Information

The value of information comes from the characteristics it possesses.

Availability enables users who need to access information to do so

without interference
or obstruction and to retrieve that information in the required format.
Accuracy occurs when information is free from mistakes or errors and
has the value that the end user expects. If information contains a value
different from the users expectations due to the intentional or
unintentional modification of its content, it is no longer accurate.

Authenticity is the quality or state of being genuine or original, rather

than a reproduction or fabrication. Information is authentic when it is
the information that was originally created, placed, stored, or
transferred.
Confidentiality is the quality or state of preventing disclosure or
exposure to
unauthorized individuals or systems.
Integrity is the quality or state of being whole, complete, and
uncorrupted. The integrity of information is threatened when the
information is exposed to corruption, damage, destruction, or other
disruption of its authentic state.
Utility is the quality or state of having value for some purpose or end.
Information has value when it serves a particular purpose. This means
that if information is available, but not in a format meaningful to the
end user, it is not useful.
Possession is the quality or state of having ownership or control of
some object or item. Information is said to be in one's possession if
one obtains it, independent of format or other characteristics. While a
breach of confidentiality always results in a breach of possession, a
breach of possession does not always result in a breach of
confidentiality.

NSTISSC Security Model

The security model, as represented in Figure 1-4, shows the three
dimensions. If you extrapolate the three dimensions of each axis, you
end up with a 3 3 3 cube with 27 cells representing areas that
must be addressed to secure the information systems of today. Your
primary responsibility is to make sure that each of the 27 cells is
properly addressed during the security process.

Components of an Information System

To fully understand the importance of information security, it is
necessary to briefly review the elements of an information system. An
information system (IS) is much more than computer hardware; it is the
entire set of software, hardware, data, people, procedures, and

networks necessary to use information as a resource in the

organization.

Systems Plus College Foundation College of Computing and Information Sciences

Information Assurance Security System
Securing

Components

When considering the security of information systems components, it

is important to understand the concept of the computer as the subject
of an attack, as opposed to the computer as the object of an attack.
Computer as the Subject and Object of an Attack
When a computer is the subject of an attack, it is used as an active tool
to conduct the
attack. When a computer is the object of an attack, it is the entity
being attacked.
Balancing Information Security and Access
When considering information security, it is important to realize that it
is impossible to
obtain perfect security. Security is not an absolute; it is a process and
not a goal.
Security should be considered a balance between protection and
availability. To achieve
balance, the level of security must allow reasonable access, yet protect
against threats.
Approaches to Information Security Implementation
Security can begin as a grassroots effort when systems administrators
attempt to
improve the security of their systems. This is referred to as the bottom-
up approach.
The key advantage of the bottom-up approach is the technical
expertise of the individual administrators. Unfortunately, this
approach seldom works, as it lacks a number of critical features,
such as participant support and organizational staying power.
An alternative approach, which has a higher probability of success, is
called the top- down approach. The project is initiated by upper
management who issue policy, procedures, and processes, dictate the
goals and expected outcomes of the project, and determine who is
accountable for each of the required actions.
The top-down approach has strong upper-management support, a
dedicated champion, dedicated funding, clear planning, and the
opportunity to influence organizational culture.

Systems Plus College Foundation College of Computing and Information Sciences

Information Assurance Security System
The most successful top-down approach also involves a formal
development strategy
referred to as a systems development life cycle.

The

Systems

Development Life

Cycle

Information security must be managed in a manner similar to any other

major system
implemented in the organization.
The best approach for implementing an information security system in
an organization with little or no formal security in place is to use a
variation of the systems development life cycle (SDLC): the security
systems development life cycle (SecSDLC).
Methodology and Phases
The SDLC is a methodology for the design and implementation of an
information system
in an organization.
A methodology is a formal approach to solving a problem based on a
structured sequence of procedures. Using a methodology ensures a
rigorous process and avoids missing those steps that can lead to
compromising the end goal. The goal is to create a comprehensive
security posture.
The entire process may be initiated in response to specific conditions or
combinations of
conditions.
The impetus to begin the SecSDLC may be event-driven, started in
response to some
occurrence, or plan-driven as a result of a carefully developed
implementation strategy.
At the end of each phase comes a structured review or reality check
during which the team determines if the project should be continued,
discontinued, outsourced, or postponed until additional expertise or
organizational knowledge is acquired.
Investigation
The first phase, investigation, is the most important. What is the
problem the system is being developed to solve? This phase begins
with an examination of the event or plan that initiates the process.
The objectives, constraints, and scope of the project are specified. A
preliminary cost/benefit analysis is developed to evaluate the

perceived benefits and the appropriate levels of cost an organization

is willing to expend to obtain those benefits.
A feasibility analysis is performed to assess the economic,
technical, and behavioral feasibilities of the process and to ensure
that implementation is worth the organizations time and effort.

Analysis
The analysis phase begins with the information learned during the
investigation phase. This phase consists primarily of assessments of
the organization, the status of current systems, and the capability to
support the proposed systems.
Analysts begin to determine what the new system is expected to do
and how it will interact with existing systems. The phase ends with
the documentation of the findings and a feasibility analysis update.
Logical Design
In the logical design phase, the information gained from the analysis
phase is used to
begin creating a solution system for a business problem.
Then, based on the business need, applications capable of providing
needed services are selected. Based on the applications needed, data
support and structures capable of providing the needed inputs are
selected.
Finally, based on all of the above, specific technologies are selected to
implement the
physical solution. In the end, another feasibility analysis is performed.
Physical Design
During the physical design phase, specific technologies are selected to
support the
alternatives identified and evaluated in the logical design.
The selected components are evaluated based on a make-or-buy
decision (develop in-
house or purchase from a vendor).
Final designs integrate various components and technologies.
After yet another feasibility analysis, the entire solution is presented to
the end-user
representatives for approval.
Implementation

In the implementation phase, any needed software is created.

Components are ordered,
received, and tested.
Afterwards, users are trained and supporting documentation is
created. Again, a feasibility analysis is prepared, and the users
are presented with the system for a performance review and
acceptance test.

Systems Plus College Foundation College of Computing and Information Sciences

Information Assurance Security System
Maintenance and Change
The maintenance and change phase is the longest and most expensive
phase of the process. This phase consists of the tasks necessary to
support and modify the system for the remainder of its useful life cycle.

Even though formal development may conclude during this phase, the
life cycle of the project continues until it is determined that the process
should begin again from the investigation phase. When the current
system can no longer support the changed mission of the organization,
the project is terminated and a new project is implemented.
Securing
the Systems Development Life Cycle
Each of the phases of the SDLC should include consideration of the
security of the system being assembled as well as the information it
uses. Such consideration means that each implementation of a
system is secure and does not risk compromising the confidentiality,
integrity, and availability of the organizations information assets.
NIST recommends that organizations incorporate the associated IT
security steps of
the included general SDLC into their development processes. (See
textbook pages 23-
25) It is imperative that information security be designed into a system
from its
inception, rather than added in during or after the implementation
phase.
Organizations are moving toward more security-focused development
approaches, seeking to improve not only the functionality of the
systems they have in place, but the confidence of the consumer in
their product.

Systems Plus College Foundation College of Computing and Information Sciences

Information Assurance Security System
The

Security Systems

Development Life

Cycle

The same phases used in the traditional SDLC can be adapted to

support the specialized
implementation of a security project.
The fundamental process is the identification of specific threats and
the creation of specific controls to counter those threats. The SecSDLC
unifies the process and makes it a coherent program rather than a
series of random, seemingly unconnected actions.
Investigation
The investigation of the SecSDLC begins with a directive from
upper management, dictating the process, outcomes, and goals of
the project, as well as the constraints placed on the activity.
Frequently, this phase begins with an enterprise information
security policy (EISP) that outlines the implementation of security.
Teams of responsible managers, employees, and contractors are
organized; problems are analyzed; and the scope is defined, including
goals, objectives, and constraints not covered in the program policy.
Finally, an organizational feasibility analysis is performed to
determine whether the organization has the resources and
commitment necessary to conduct a successful security analysis
and design.
Analysis
In the analysis phase, the documents from the investigation phase
are studied. The development team conducts a preliminary
analysis of existing security policies or programs, along with
documented current threats and associated controls.
This phase also includes an analysis of relevant legal issues that could
impact the design
of the security solution.
The risk management taskidentifying, assessing, and evaluating the
levels of risk
facing the organizationalso begins in this stage.
Logical Design
The logical design phase creates and develops the blueprints for
security and examines and implements key policies that influence later
decisions. Also at this stage, critical planning is developed for incident
response actions to be taken in the event of partial or catastrophic loss.

Systems Plus College Foundation College of Computing and Information Sciences

Information Assurance Security System
Next, a feasibility analysis determines whether or not the project
should continue or be outsourced.

Systems Plus College Foundation College of Computing and Information Sciences

Information Assurance Security System
Physical Design
In the physical design phase, the security technology needed to
support the blueprint outlined in the logical design is evaluated,
alternative solutions are generated, and a final design is agreed
upon.
The security blueprint may be revisited to keep it synchronized with the
changes needed
when the physical design is completed.
Criteria needed to determine the definition of successful solutions is also
prepared
during this phase.
Included at this time are the designs for physical security measures to
support the
proposed technological solutions.
At the end of this phase, a feasibility study should determine the
readiness of the organization for the proposed project, and then the
champion and users are presented with the design. At this time, all
parties involved have a chance to approve the project before
implementation begins.
Implementation
The implementation phase is similar to the traditional SDLC.
The security solutions are acquired (made or bought), tested,
implemented, and tested
again.
Personnel issues are evaluated and specific training and education
programs are
conducted.
Finally, the entire tested package is presented to upper management
for final approval.
Maintenance and Change
The maintenance and change phase, though last, is perhaps the most
important, given
the high level of ingenuity in todays threats.
The reparation and restoration of information is a constant duel with an
often unseen
adversary.

Systems Plus College Foundation College of Computing and Information Sciences

Information Assurance Security System

Systems Plus College Foundation College of Computing and Information Sciences

Information Assurance Security System
As new threats emerge and old threats evolve, the information
security profile of an organization requires constant adaptation to
prevent threats from successfully penetrating sensitive data.
Security

Professionals

and

the Organization

It takes a wide range of professionals to support a diverse information

security program.
To develop and execute specific security policies and procedures,
additional
administrative support and technical expertise is required.
Senior Management
Chief Information Officer: The senior technology officer, although
other titles such as vice president of information, VP of information
technology, and VP of systems may also be used. The CIO is primarily
responsible for advising the chief executive officer, president, or
company owner on the strategic planning that affects the management
of information in the organization.
Chief Information Security Officer: The individual primarily
responsible for the assessment, management, and implementation of
securing the information in the organization. The CISO may also be
referred to as the manager for security, the security administrator, or a
similar title.
Information Security Project Team
The security project team consists of a number of individuals who are
experienced in
one or multiple facets of the required technical and nontechnical areas.
Champion: A senior executive who promotes the project and ensures
its support, both
financially and administratively, at the highest levels of the
organization.
Team leader: A project manager, who may be a departmental line
manager or staff unit manager, who understands project management,
personnel management, and information security technical
requirements.
Security policy developers: Individuals who understand the
organizational culture, policies, and requirements for developing
and implementing successful policies. Risk assessment
specialists: Individuals who understand financial risk assessment

Systems Plus College Foundation College of Computing and Information Sciences

Information Assurance Security System
techniques, the value of organizational assets, and the security
methods to be used.

Systems Plus College Foundation College of Computing and Information Sciences

Information Assurance Security System
Security professionals: Dedicated, trained, and well-educated
specialists in all aspects of
information security from both a technical and nontechnical standpoint.

Systems administrators: Individuals whose primary responsibility is

administering the
systems that house the information used by the organization.
End users: Those whom the new system will most directly impact.
Ideally, a selection of users from various departments, levels, and
degrees of technical knowledge assist the team in focusing on the
application of realistic controls applied in ways that do not disrupt the
essential business activities they seek to safeguard.
Data Ownership
Now that you understand the responsibilities of both senior
management and the security project team, we can define the
roles of those who own and safeguard the data.
Data Owners: Those responsible for the security and use of a
particular set of information. Data owners usually determine the
level of data classification associated with the data, as well as
changes to that classification required by organizational change.
Data Custodians: Those responsible for the storage, maintenance,
and protection of the information. The duties of a data custodian often
include overseeing data storage and backups, implementing the
specific procedures and policies laid out in the security policies and
plans, and reporting to the data owner.
Data Users: End users who work with the information to perform
their daily jobs supporting the mission of the organization. Everyone
in the organization is responsible for the security of data, so data
users are included here as individuals with an information security
role.
Communities of Interest
Each organization develops and maintains its own unique culture and
values. Within each organizational culture, there are communities of
interest. As defined here, a community of interest is a group of
individuals who are united by similar interests or values within an
organization and who share a common goal of helping the organization
to meet its objectives.

There can be many different communities of interest in an

organization. The three that are most often encountered, and which
have roles and responsibilities in information security, are listed here.
In theory, each role must complement the other but this is often not
the case.
Information security management and professionals
Information technology management and professionals
Organizational management and professionals

Information Security: Is it an Art or a Science?

With the level of complexity in todays information systems, the
implementation of
information security has often been described as a combination of art
and science.
The concept of the security artesan is based on the way individuals
have perceived
systems technologists since computers became commonplace.
Security as Art
There are no hard and fast rules regulating the installation of various
security
mechanisms. Nor are there many universally accepted complete
solutions.
While there are many manuals to support individual systems, once
these systems are interconnected, there is no magic users manual for
the security of the entire system. This is especially true with the
complex levels of interaction between users, policy, and technology
controls.
Security as Science
We are dealing with technology developed by computer scientists and
engineers
technology designed to operate at rigorous levels of performance.
Even with the complexity of the technology, most scientists would
agree that specific scientific conditions cause virtually all actions that
occur in computer systems. Almost every fault, security hole, and

systems malfunction is a result of the interaction of specific hardware

and software.
If developers had sufficient time, they could resolve and eliminate
these faults.
Security as a Social Science
There is a third view: security as a social science.

Social science examines the behavior of individuals as they interact

with systems,
whether societal systems or, in our case, information systems.
Security begins and ends with the people inside the organization and
the people that
interact with the system, planned or otherwise.
End users who need the very information the security personnel are
trying to protect
may be the weakest link in the security chain.
By understanding some of the behavioral aspects of organizational
science and change management, security administrators can greatly
reduce the levels of risk caused by end users, and they can create
more acceptable and supportable security profiles.

Systems Plus College Foundation College of Computing and Information Sciences

Information Assurance Security System
Review Questions
1.
What type of security was dominant in the early years of
computing?
2.
Who is known as the founder of the Internet? To what project
does it trace its
origin? Who initiated this project and for what purpose?
3.
What layers of security should a successful organization have in
place to protect
its operations?
4.

The McCumber Cube is a 3x3x3 cube with 27 cells

representing areas that must be addressed to secure todays
information systems. List the three dimensions along each of
the three axes.

5.
What are the three components of the CIA triangle? What are
they used for?
6.
If the C.I.A. triangle is incomplete, why is it so commonly used
in security?
7.
Describe the critical characteristics of information. How are
they used in the
study of computer security?
8.

Identify the six components of an information system. Which

are most directly impacted by the study of computer security?
Which are most commonly associated with this study?

9.
In the history of the study of computer security, what system is
the father of
almost all multi-user systems?
10.
What paper is the foundation of all subsequent studies of
computer security?
11.
How is the top down approach to information security superior
to the bottom up
approach?
12.

Why is a methodology important in the implementation of

information security? How does a methodology improve the
process?

13.
Who is involved in the security development life cycle? Who
leads the process?
14.
How does the practice of information security qualify as both an
art and a
science? How does security as a social science influence its
practice?
15.
Who is ultimately responsible for the security of information in
the organization?
16.
What is the relationship between the MULTICS project and early
development of

Systems Plus College Foundation College of Computing and Information Sciences

Information Assurance Security System
computer security?
17.
How has computer security evolved into modern information
security?
18.

What was important about Rand Report R-609?

Systems Plus College Foundation College of Computing and Information Sciences

Information Assurance Security System
19.

Describe the difference between a computer being the

subject of an attack and the object of an attack. What is
the difference between a direct and indirect attack? Is it
possible for one computer to be both the subject of an attack
and the object of an attack? Is so, how?

20:
Who should lead a security team? Should the approach to
security be more
managerial or technical?